Full Discussion: setting ACL's
Special Forums Cybersecurity setting ACL's Post 3842 by andy_kann on Thursday 12th of July 2001 05:28:33 AM
setting ACL's

Hi all,

How can I set default owning user and default owning group with setfacl on Solaris 2.6 and up?
My idea is that when a file is created by user x, and the default owning user is y, the ownership is set to y.
This option is visible in the file manager, though not editable. I can't find anything about it in the man pages or on the SUN webpage.

Can anyone help me out?

Thanks,

Andy
 

IOCTL_NS(2)                Linux Programmer's Manual               IOCTL_NS(2)

NAME
       ioctl_ns - ioctl() operations for Linux namespaces

DESCRIPTION
   Discovering namespace relationships
       The following ioctl(2) operations are provided to allow discovery of
       namespace relationships (see user_namespaces(7) and
       pid_namespaces(7)). The form of the calls is:

           new_fd = ioctl(fd, request);

       In each case, fd refers to a /proc/[pid]/ns/* file. Both operations
       return a new file descriptor on success.

       NS_GET_USERNS (since Linux 4.9)
              Returns a file descriptor that refers to the owning user
              namespace for the namespace referred to by fd.

       NS_GET_PARENT (since Linux 4.9)
              Returns a file descriptor that refers to the parent namespace
              of the namespace referred to by fd. This operation is valid
              only for hierarchical namespaces (i.e., PID and user
              namespaces). For user namespaces, NS_GET_PARENT is synonymous
              with NS_GET_USERNS.

       The new file descriptor returned by these operations is opened with
       the O_RDONLY and O_CLOEXEC (close-on-exec; see fcntl(2)) flags.

       By applying fstat(2) to the returned file descriptor, one obtains a
       stat structure whose st_dev (resident device) and st_ino (inode
       number) fields together identify the owning/parent namespace. This
       inode number can be matched with the inode number of another
       /proc/[pid]/ns/{pid,user} file to determine whether that is the
       owning/parent namespace.

       Either of these ioctl(2) operations can fail with the following
       errors:

       EPERM  The requested namespace is outside of the caller's namespace
              scope. This error can occur if, for example, the owning user
              namespace is an ancestor of the caller's current user
              namespace. It can also occur on attempts to obtain the parent
              of the initial user or PID namespace.

       ENOTTY The operation is not supported by this kernel version.

       Additionally, the NS_GET_PARENT operation can fail with the following
       error:

       EINVAL fd refers to a nonhierarchical namespace.

       See the EXAMPLE section for an example of the use of these
       operations.

   Discovering the namespace type
       The NS_GET_NSTYPE operation (available since Linux 4.11) can be used
       to discover the type of namespace referred to by the file descriptor
       fd:

           nstype = ioctl(fd, NS_GET_NSTYPE);

       fd refers to a /proc/[pid]/ns/* file.

       The return value is one of the CLONE_NEW* values that can be
       specified to clone(2) or unshare(2) in order to create a namespace.

   Discovering the owner of a user namespace
       The NS_GET_OWNER_UID operation (available since Linux 4.11) can be
       used to discover the owner user ID of a user namespace (i.e., the
       effective user ID of the process that created the user namespace).
       The form of the call is:

           uid_t uid;
           ioctl(fd, NS_GET_OWNER_UID, &uid);

       fd refers to a /proc/[pid]/ns/user file.

       The owner user ID is returned in the uid_t pointed to by the third
       argument.

       This operation can fail with the following error:

       EINVAL fd does not refer to a user namespace.

ERRORS
       Any of the above ioctl() operations can return the following errors:

       ENOTTY fd does not refer to a /proc/[pid]/ns/* file.

CONFORMING TO
       Namespaces and the operations described on this page are
       Linux-specific.

EXAMPLE
       The example shown below uses the ioctl(2) operations described above
       to perform simple discovery of namespace relationships. The following
       shell sessions show various examples of the use of this program.

       Trying to get the parent of the initial user namespace fails, since it
       has no parent:

           $ ./ns_show /proc/self/ns/user p
           The parent namespace is outside your namespace scope

       Create a process running sleep(1) that resides in new user and UTS
       namespaces, and show that the new UTS namespace is associated with the
       new user namespace:

           $ unshare -Uu sleep 1000 &
           [1] 23235
           $ ./ns_show /proc/23235/ns/uts u
           Device/Inode of owning user namespace is: [0,3] / 4026532448
           $ readlink /proc/23235/ns/user
           user:[4026532448]

       Then show that the parent of the new user namespace in the preceding
       example is the initial user namespace:

           $ readlink /proc/self/ns/user
           user:[4026531837]
           $ ./ns_show /proc/23235/ns/user p
           Device/Inode of parent namespace is: [0,3] / 4026531837

       Start a shell in a new user namespace, and show that from within this
       shell, the parent user namespace can't be discovered. Similarly, the
       UTS namespace (which is associated with the initial user namespace)
       can't be discovered.

           $ PS1="sh2$ " unshare -U bash
           sh2$ ./ns_show /proc/self/ns/user p
           The parent namespace is outside your namespace scope
           sh2$ ./ns_show /proc/self/ns/uts u
           The owning user namespace is outside your namespace scope

   Program source

       /* ns_show.c

          Licensed under the GNU General Public License v2 or later.
       */
       #include <stdlib.h>
       #include <unistd.h>
       #include <stdio.h>
       #include <fcntl.h>
       #include <string.h>
       #include <sys/stat.h>
       #include <sys/ioctl.h>
       #include <errno.h>
       #include <sys/sysmacros.h>

       #ifndef NS_GET_USERNS
       #define NSIO    0xb7
       #define NS_GET_USERNS   _IO(NSIO, 0x1)
       #define NS_GET_PARENT   _IO(NSIO, 0x2)
       #endif

       int
       main(int argc, char *argv[])
       {
           int fd, userns_fd, parent_fd;
           struct stat sb;

           if (argc < 2) {
               fprintf(stderr, "Usage: %s /proc/[pid]/ns/[file] [p|u]\n",
                       argv[0]);
               fprintf(stderr, "\nDisplay the result of one or both "
                       "of NS_GET_USERNS (u) or NS_GET_PARENT (p)\n"
                       "for the specified /proc/[pid]/ns/[file]. If neither "
                       "'p' nor 'u' is specified,\n"
                       "NS_GET_USERNS is the default.\n");
               exit(EXIT_FAILURE);
           }

           /* Obtain a file descriptor for the 'ns' file specified
              in argv[1] */

           fd = open(argv[1], O_RDONLY);
           if (fd == -1) {
               perror("open");
               exit(EXIT_FAILURE);
           }

           /* Obtain a file descriptor for the owning user namespace and
              then obtain and display the inode number of that namespace */

           if (argc < 3 || strchr(argv[2], 'u')) {
               userns_fd = ioctl(fd, NS_GET_USERNS);

               if (userns_fd == -1) {
                   if (errno == EPERM)
                       printf("The owning user namespace is outside "
                               "your namespace scope\n");
                   else
                       perror("ioctl-NS_GET_USERNS");
                   exit(EXIT_FAILURE);
               }

               if (fstat(userns_fd, &sb) == -1) {
                   perror("fstat-userns");
                   exit(EXIT_FAILURE);
               }
               printf("Device/Inode of owning user namespace is: "
                       "[%lx,%lx] / %ld\n",
                       (long) major(sb.st_dev), (long) minor(sb.st_dev),
                       (long) sb.st_ino);

               close(userns_fd);
           }

           /* Obtain a file descriptor for the parent namespace and
              then obtain and display the inode number of that namespace */

           if (argc > 2 && strchr(argv[2], 'p')) {
               parent_fd = ioctl(fd, NS_GET_PARENT);

               if (parent_fd == -1) {
                   if (errno == EINVAL)
                       printf("Can't get parent namespace of a "
                               "nonhierarchical namespace\n");
                   else if (errno == EPERM)
                       printf("The parent namespace is outside "
                               "your namespace scope\n");
                   else
                       perror("ioctl-NS_GET_PARENT");
                   exit(EXIT_FAILURE);
               }

               if (fstat(parent_fd, &sb) == -1) {
                   perror("fstat-parentns");
                   exit(EXIT_FAILURE);
               }
               printf("Device/Inode of parent namespace is: [%lx,%lx] / %ld\n",
                       (long) major(sb.st_dev), (long) minor(sb.st_dev),
                       (long) sb.st_ino);

               close(parent_fd);
           }

           exit(EXIT_SUCCESS);
       }

SEE ALSO
       fstat(2), ioctl(2), proc(5), namespaces(7)

COLOPHON
       This page is part of release 4.15 of the Linux man-pages project. A
       description of the project, information about reporting bugs, and the
       latest version of this page, can be found at
       https://www.kernel.org/doc/man-pages/.

Linux                             2017-09-15                       IOCTL_NS(2)